University Policies

Intrusion Detection Policy

Information Technology Services
Information Technology Services

Awareness of circumstances that may represent a security breach is an important part of ongoing security administration. It is imperative that problems be discovered at the earliest possible time to minimize damage or loss.

Intrusion detection must be employed on all servers and networks that process or store critical business information.

  • Intrusion detection technologies that recognize both network and host attack signatures must be employed. Intrusion detection tools must be in accordance with Worcester State standards. Intrusion detection systems must use a centralized model for data collection and analysis.
  • Intrusion detection sensors/agents must be installed on any local area network segment or host system on which critical computing or information resources reside. Critical resources include, but are not limited to: database servers, authentication domain servers, security servers, messaging servers, Web (http) servers, and file servers.
  • The intrusion detection system must not be disabled to avoid excessive false alarms. Intrusion detection must be set to a sensitivity level that minimizes false alarms, while ensuring that critical events are not missed.
  • Response options to suspicious activity or attack must include logging, paging, e-mail notification, running a user-defined process and session termination.
  • Event logs must be monitored daily. Critical events must generate an alarm and be analyzed and responded to immediately. Log data may be required to establish a pattern of attack or abuse over a sustained time period, or to pursue legal action against a suspected intruder. Consequently, event logs must be archived for not less than forty (40) days.
  • Security events must be reported in accordance with the Security Incident Reporting and Response policy. Significant security events must be documented, in writing, for dissemination to other enterprise security personnel within forty-eight (48) hours of first occurrence. Dissemination must be at the discretion of, and through, the Information Security Director.
  • The University will contract with a third party vendor on an annual basis for the purposes of an intrusion detection audit of University network and network resources.